Canadian, U.K. residents affected by Equifax breach

Equifax has not said how many Canadians were affected or what data was stolen
Ross Marowits, The Canadian Press on September 8, 2017

Canada’s Privacy Commissioner has asked credit monitoring company Equifax to provide a full report on its large-scale security breach, including details on how Canadians were affected.The agency reached out to the company Friday after it received complaints about the hack of sensitive personal.
Related: Cyber attack on Equifax exposes 143 million to identity theft
“Given the potential sensitivity of the information, we expect that Equifax will adopt measures to help affected individuals,” spokeswoman Valerie Lawton wrote in an email.
Canadians are getting little information from Equifax regarding the status of their personal information after the company revealed on Friday that it was the victim of a massive security breach during the summer.
Equifax said the private information of up to 143 million people in the United States had been compromised, along with certain Canadian and U.K. residents. The company is refusing to say how many Canadians were affected or what data had been stolen in those cases.
Equifax also said it would work with Canadian and U.K. regulators but didn’t disclose which ones were involved.
Related: Chubb brings new cyber coverage to market
In the United States, the theft included consumers’ names, Social Security numbers, birth dates, addresses and, in some cases, driver’s licence numbers.
Equifax Canada said Friday it had no information to add to what its parent announced.
Equifax discovered the hack July 29, but waited until Thursday to warn consumers. It’s not unusual for authorities to ask a company to delay public notice of a major hack so that investigators can pursue the perpetrators.
The Atlanta-based parent company has set up a dedicated website and call centre to help consumers determine if their information may have been affected.
The website is www.equifaxsecurity2017.com and the call centre is at 877-323-2598.
However, it may be prudent to wait before checking the status of your information. Social media users have flagged language on Equifax’s website that appears to suggest that people who sign up for its TrustedID Premier security service waive their rights to participate in a class-action lawsuit.
New York State Attorney General Eric Schneiderman tweeted that such language was “unacceptable and unenforceable”. “My staff has already contacted Equifax to demand that they remove it,” he added.
There have been cases where Canadian consumers have launched class action suits after learning their information had been involved in a cross-border cybersecurity breach.
Bob Hudyma, a cyber security expert, at Ryerson University’s Ted Rogers School of Information Technology Management, said Equifax is being tight-lipped over concerns about other lawsuits.
“There’s no doubt that their legal department has been very, very busy in insuring that they maintain the strongest possible position in these unfortunate circumstances,” he said in an interview.
Shares of Equifax were down more than 14% at US$122.63 in heavy trading Friday afternoon at the New York Stock Exchange.
The credit scores compiled by Equifax and similar companies, such as TransUnion and Experian, are used by lenders to decide whether to approve financing for homes, cars and credit cards.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”
Prior to the Equifax release, the biggest hack on record involving Social Security numbers involved about 80 million people during a hack at health insurer Anthem Inc.
Yahoo, which was targeted in at least two separate digital burglaries that affected more than one billion of its users’ accounts throughout the world, currently holds the record for the biggest release of confidential information.
The California-based Internet company, which has since been acquired by American telecom carrier Verizon, didn’t reveal a 2013 cyberattack until September 2016.
But Yahoo’s breach didn’t release Social Security numbers or drivers’ licence information — two pieces of government-issued information that are commonly used to determine a person’s identity.
With files from the Associated Press